When do I need to perform a Risk Assessment?

SAM 5305.7 requires each state entity to conduct a risk assessment every two years or less based on need. It is a best practice to perform a risk assessment when evaluating or developing an information system.